
Ethical Hacking Workshop

By Rishalin Pillay , Mohammed Abutheraa
Free chapter: Chapter 1, Networking Primer
About this book
The Ethical Hacking Workshop will teach you how to perform ethical hacking and provide you with hands-on experience using relevant tools. By exploring the thought process involved in ethical hacking and the various techniques you can use to obtain results, you'll gain a deep understanding of how to leverage these skills effectively. Throughout this book, you'll learn how to conduct a successful ethical hack, how to use the tools correctly, and how to interpret the results to enhance your environment's security. Hands-on exercises at the end of each chapter will ensure that you solidify what you’ve learnt and get experience with the tools. By the end of the book, you'll be well-versed in ethical hacking and equipped with the skills and knowledge necessary to safeguard your enterprise against cyber-attacks.
Publication date:
October 2023
Publisher
Packt
Pages
220
ISBN
9781804612590

 

Networking Primer

Welcome to the first chapter of this book. You are at the start of your journey toward ethical hacking, and by the time you complete this book, you will be well prepared to conduct an ethical hack.

Networking is the fundamental backbone of all communication today. It was there at the inception of the internet, and it is involved every time you pick up your mobile phone and dial someone, watch a video online, surf the web, or play an online game; the list goes on.

When it comes to hacking, networking is a crucial element. So, it is understandable that to get started with ethical hacking, you need to have a good understanding of networking. As you will learn in this chapter, networking is a key underlying feature that exists in all computer environments.

We will cover the following topics:

  • Why is networking crucial?
  • Networking concepts on-premises and in the cloud
  • Networking tools
  • Networking lab
  • Putting into practice what you have learned
  • Best practices
 

Technical requirements

To complete this chapter, you will require the following:

 

Why is networking crucial?

At the onset of this book, I mentioned just a few examples of how networking plays a role in our daily lives. I remember many years ago I purchased a cross-over network cable to play multi-player StarCraft with my brother sitting in the next room. This was a time when network switches were not so easy to come by. Back then, networking was relatively simple but looking at how it has evolved is amazing. In today’s world of big data, cloud networks, quantum computing, blockchain technology, smart homes, and more, we are surrounded by networks that range from simple to highly complex. If I had to sum up a few reasons why networking is crucial, here they are:

  • Enables collaboration and information sharing
  • Overcomes geographic separation
  • Enables communication across the world
  • Enables voice telephony over long distances
  • Enables the sharing of media and enables gaming
 

Networking concepts on-premises and in the cloud

Let’s dive into the building blocks of networks. Here, we will cover the various components of networks, ranging from software and hardware to standards. This chapter will not go into great detail because networking is such a broad topic that entire books are devoted to it. We will cover the necessities to ensure that you understand networking in the context of ethical hacking.

When you start to communicate on a network, the information that you are sending needs to be translated into something that computers can understand. Yes, ultimately, it’s all 0s and 1s, but let’s focus on the various pieces before that. We will begin by looking at packets.

Packets

When information is transmitted across a network or the internet, it needs to be formed into a unit that can be carried across a network. This is called a packet, or a network packet. This network packet contains information that ultimately gets routed to destinations on the internet. Think of a packet as an envelope that you would send using the postal service. You would put something inside that envelope, provide a return and destination address, and the postal service would sort and route it to the destination.

In terms of networking, a packet has a similar composition.

The contents of the packet are your data, the return address is the source MAC address and IP address, and the destination address is the destination MAC and IP address. Strictly speaking, the MAC addresses belong to the Layer 2 frame that carries the packet and only ever identify the sender and receiver on the current network segment: each router along the path rewrites them for the next hop, while the source and destination IP addresses normally stay unchanged end to end (unless a device on the path performs network address translation).

MAC address

All devices that communicate on a network have a network interface card (NIC). This can be either an Ethernet or a wireless adapter. Every NIC has a unique identifier, called a media access control (MAC) address, which identifies your machine on the local network. Switches (OSI Layer 2) use MAC addresses to forward frames to the port where the destination is connected; a router uses them only to reach the next hop on the local segment. MAC addresses are 48-bit numbers written as six hexadecimal octets; for example, 00:00:5e:00:53:af. The first 24 bits of a MAC address are the organizationally unique identifier (OUI), which the IEEE assigns to the manufacturer; the remaining 24 bits are assigned by that manufacturer to uniquely identify the device. Two bits in the first octet carry extra meaning: the least significant bit marks a group (multicast) address, and the next bit marks a locally administered address, one set by software rather than burned in by the manufacturer. Looking at our example MAC address, if we had to break it down into the OUI and the device identifier, it would look like Figure 1.1:

Figure 1.1 – Breakdown of a MAC address

IP addresses

Internet Protocol (IP) addresses enable data to be transferred between networks (OSI Layer 3). They are crucial to networking because an IP address encodes where a device is: one part identifies the network and the rest identifies the host within it, which is what lets routers deliver packets between devices on different networks.

Tip

If you are looking for a refresher on the OSI model, please take a look at this link: https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html.

An IPv4 address is a 32-bit number written as four decimal numbers separated by periods; for example, 192.168.1.1. Each of the four parts can range from 0 to 255, so addresses run from 0.0.0.0 to 255.255.255.255. Some addresses within that range are reserved for various purposes; you can find more information about these reservations in the following note. An Internet Protocol version 6 (IPv6) address is a 128-bit value written in hexadecimal and arranged into eight groups of 16 bits separated by colons; leading zeros in a group may be dropped, and one run of all-zero groups may be compressed to ::. IPv6 is the successor to IPv4 and was created to remedy its limitations, chiefly the exhaustion of the 32-bit address space. Consider the following example of an IPv6 address: 684D:1111:222:3333:4444:5555:6:77. Here, you will notice how it differs from IPv4; its size allows a vastly larger address space.

Note

IP address blocks are allocated by the Internet Assigned Numbers Authority (IANA) to the five regional internet registries, which in turn assign them to internet providers and organizations. The private IPv4 ranges reserved by RFC 1918 are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16; their IPv6 counterpart is the unique local address range fc00::/7.

IP addresses are split into two categories: public and private. Private consists of IP address ranges that are not routable on the internet. These are generally what you would have on your local network, such as your Wi-Fi network and so forth. Public IP addresses are routable on the internet. Your internet provider would assign you a public IP address on your home network for you to access the internet. You can easily check what your public IP address is by searching for what's my IP on Google Search.

Now that we have the very basics of networking covered, let’s move on to cloud computing.

Cloud computing

Today, the term cloud computing is not unheard of. Many people working in the IT industry know about cloud computing and probably make use of it daily. When you work on email services, social media, online gaming, and so forth, this is all cloud computing in action. Major software companies such as Google, Microsoft, and Amazon offer cloud computing and a range of cloud services.

Note

There are a lot of other providers who offer cloud services, apart from those that I have mentioned. Performing a quick internet search for Cloud Service Providers will give you a comprehensive list.

In terms of cloud computing, various types of cloud setups exist. The most common ones today are the public cloud, private cloud, and hybrid cloud. There are differences between them, as described next.

Public cloud

A public cloud is administered predominantly by a third party. These cloud environments provide easy access to the public (hence the term public cloud) via the internet. Resources that are available here entail storage, compute, applications, and more. The key here is that anyone who wants to use these services can make use of them. Public clouds are cost-effective, relieving you from the expensive costs of having to purchase hardware, manage it, and so forth. With the public cloud, anyone with an internet connection can make use of the services. There are several security concerns with public clouds, especially when it comes to data residency and who has access to the data. However, many public cloud providers provide solutions to address this.

Private cloud

Private clouds offer services either over the internet or via a private internal connection. These are limited to selected users and not the public. You may find the terms corporate cloud or internal cloud used interchangeably with private cloud. This cloud setup aims to provide the benefits of a public cloud with additional controls and, to an extent, additional customization where possible. Private clouds are said to provide a higher level of security concerning data confidentiality, since access by third parties is limited. The drawback of a private cloud is that it requires staff to maintain it.

Hybrid cloud

A hybrid cloud combines both public and private cloud solutions. It enables data to be shared between them. This cloud aims to enable organizations to scale where needed, but also provide limited access to restricted data where possible.

If I had to describe cloud computing in simple terms, it is the delivery of computing services such as servers, databases, networking, software, storage, and more over a network; when a third-party provider delivers them over the internet, that is the public cloud. Cloud computing aims to offer faster innovation, flexibility when it comes to resources, and scalability, enabling you to scale your resources up or down with ease. Cloud computing offers various operating models:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Software-as-a-Service (SaaS)

Cloud computing providers often have a shared responsibility model that describes the responsibility and security tasks that are handled by the provider and the customer. These responsibilities and tasks change as you use different operating models.

The following figure is a sample of Microsoft’s shared responsibility model. Notice how the responsibilities change between SaaS to on-premises:

Figure 1.2 – Microsoft shared responsibility model (Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)

All cloud providers will provide some type of responsibility matrix – for example, Amazon Web Services has theirs (https://aws.amazon.com/compliance/shared-responsibility-model/), and the same goes for Google Cloud (https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate).

Let’s cover these briefly so that you understand what each model offers. It is important to have a good understanding of these as you prepare for an ethical hack because it gives you insight into who handles the security of the target components such as the operating system and application updates and so forth.

Infrastructure-as-a-Service

IaaS is a standardized method of obtaining computing resources on demand. These services are delivered through the internet via a cloud provider. These services include storage facilities, networks, computing power, and virtual private servers. These are invoiced on a pay-as-you-go basis, which means you are billed based on different criteria, such as how much storage you use or how much processing power you utilize over a set period. Customers do not need to maintain infrastructure under this service model; instead, the provider is responsible for ensuring the contractual quantity of resources and availability.

Some of the advantages of IaaS include the following:

  • Very flexible cloud computing model
  • Ability to easily automate the deployment of services such as storage, processing power, network, and so forth
  • Highly scalable
  • Resources can be purchased as needed

As with everything in the computing world, there are security concerns. With IaaS, the following can be seen as security concerns:

  • Vulnerabilities in the guest operating systems and applications you deploy, which remain your responsibility to patch
  • Legacy operating systems lifted into the cloud unchanged
  • Multi-tenant security, whereby you rely on the vendor to ensure the separation of customer environments

Some examples of IaaS include compute services purchased from cloud vendors. Common use cases of IaaS can be found in large organizations that want to purchase and pay for what they consume, or organizations that are rapidly expanding and need the scalability of hardware.

Software-as-a-Service

SaaS aims to provide web-based solutions. These solutions are controlled by the supplier, which is great as it relieves the pressure of maintaining the software, infrastructure, security of the application, and so forth. SaaS services are often billed by the amount of data stored, number of transactions, number of users and usage, and so on.

The advantages of SaaS include the following:

  • Reduce overhead in time and money spent on installing, managing, and upgrading software
  • Providers upgrade the solutions, thereby putting you on the latest solution all the time
  • Baked-in best practices enable you to test the solution with a good security posture from the get-go

The limitations that exist with SaaS can include the following:

  • Data security: large volumes of business-sensitive data move between your users and the provider’s backend data centers, and if those transfers or that storage are not properly secured, the data can be exposed.
  • Lack of control, since the platform is operated by the provider or its third parties.
  • Reliance on the vendor’s security controls to ensure that the application is secured.

Typical examples of SaaS solutions include Dropbox, Cisco Webex, and Salesforce. The use cases of SaaS can be seen in applications that need both web and mobile access, collaboration solutions that exist on the internet, and more.

Platform-as-a-Service

PaaS provides a bridge between IaaS and SaaS services. PaaS aims to provide customers with a cloud-based platform on which they can build and distribute applications without having to provision and maintain the underlying servers, operating system, and runtime themselves. Users can also typically specify whatever features they want to be included in their subscription.

There are advantages to PaaS, some of which are as follows:

  • Cost-effective deployment of applications
  • Ease of deployment with high scalability
  • Apps can be customized without the need to maintain the underlying software

Concerning the advantages, there are also limitations and concerns. Some of these are as follows:

  • Integrations with outside data centers or on-premises systems multiply, increasing the possible attack surface.
  • Data residing with a third party raises the question of who might be able to view it, and the security controls applied to that data may be weaker than your own.
  • Integrations with existing applications could become problematic.

Typical examples of PaaS in the cloud are Heroku, OpenShift, and App Engine. PaaS is beneficial when it comes to streamlining workflows that are leveraged by multiple developers. It also provides speed and flexibility to these workflows.

This section aimed to give you an overview of cloud solutions, the different operating models, and how the shared responsibility of the cloud works. As you craft your ethical hack methodology, you should take this into account in the event your target is making use of cloud services.

 

Networking tools and attacks

In this section, we will start to cover some of the attacks that exist and the tools that you can use to carry them out. As traffic traverses a network, you can perform various attacks, such as capturing the traffic and looking at what it contains, intercepting traffic and misdirecting it, acting as a man in the middle, poisoning results, and more. Let’s begin with capturing packets as they traverse the network.

Packet capturing

Packet capturing is also known as sniffing. This is the process of capturing packets as they traverse the network to look inside and discover any valuable information. By performing packet capturing, you can see all sorts of traffic. This can be both protected and unprotected traffic. Various tools exist that can perform packet capturing. The most common tool that you will hear people talking about is Wireshark. There are more tools, including native tools, within routers and switches that allow you to capture packets. The key is not to understand how each tool works, but rather how packet capturing works and what the benefits are. We will cover packet capturing in more depth in Chapter 2, Capturing and Analyzing Network Traffic.

Wireshark can be downloaded from https://www.wireshark.org/download.html and supports almost all operating systems, but best of all, it’s free! Installing Wireshark is straightforward; let’s focus more on the tool itself and how to use it. If you are using Kali Linux, Wireshark will already be installed. The following figure shows the main dashboard of Wireshark:

Figure 1.3 – Wireshark dashboard

The dashboard may seem a bit daunting but let me explain all the components. We will begin with the toolbar, where I will highlight the icons and their functions in the following tables.

In the first table, we will cover the functions that you will interact with when starting a packet capture:

Icon name: Description

Start: Starts a capture session, using either the defaults or the last set of options from a previous session
Stop: Stops the currently active capture session
Restart: Restarts the packet capture session
Options: Opens the Capture Options dialog
Open: Opens a saved capture file for analysis
Save As: Saves your current capture to a file
Close: Closes the currently open capture file

Table 1.1 – Wireshark icons used for packet captures

The next set of functions enables you to work within the packet capture file:

Icon name: Description

Find Packet: Finds specific packets based on criteria that you define
Go Back: Goes one step back in the packet history
Go Forward: Jumps one step forward in the packet history
Go To Packet: Moves to a specific packet number
Go to First Packet: Jumps to the first packet in the capture file
Go to Last Packet: Jumps to the last packet in the capture file

Table 1.2 – Wireshark icons for working with the capture file

Next, you have the main interface view, as per the following figure. This will show you which interfaces have active traffic on them, and which ones are not seeing any traffic. This is depicted by a line next to the interface number. In the following figure, you can see that the Ethernet0 and Adapter for loopback traffic capture interfaces are seeing traffic:

Figure 1.4 – Wireshark interfaces that have traffic

Starting a packet capture with Wireshark is simple. First, you need to select the interface that you would like to capture traffic on. Next, you must click on the Start button to start capturing packets. You will then see results appear in the main display window. The following figure is an example of ARP requests on the network:

Pro tip

ARP stands for Address Resolution Protocol. It is used to discover the local MAC address of the endpoint by using its IPv4 address.

Figure 1.5 – ARP requests

When you perform packet captures, you need to filter the output to look for your specific results. The display filter within Wireshark does just that. You can see it when you look at Figure 1.5 – specifically the text in the green bar, stating eth.dst == ff:ff:ff:ff:ff:ff, which keeps only frames sent to the Ethernet broadcast address. When you type text in the display filter, Wireshark will offer a list of suggestions based on what you have typed in. The colour of the bar also tells you whether the filter will work: yellow means that the display filter was accepted but may not work as you expect, red means that the filter was not accepted and will not work, and green means that the filter has been accepted.

The following table defines a few useful filters:

Filter syntax: Description

ip.addr == 192.168.1.1: Match packets where either the source or the destination IP address is 192.168.1.1
ip.src == 192.168.1.1 or ip.dst == 192.168.1.1: Match on the source or the destination IP address specifically
tcp.port == 80: Match a TCP port, whether it is the source or the destination port
tcp.dstport == 80: Match a specific destination port
frame.time >= "Apr 28, 2022 13:00:00": Match packets captured at or after a timestamp
tcp.flags.syn == 1: Match packets with the SYN flag set (add && tcp.flags.ack == 0 to keep only the initial SYN of each connection)

Table 1.3 – List of useful filters to use

There is an extensive list of filters that are well documented on Wireshark’s documentation page. You can find the complete list here: https://www.wireshark.org/docs/dfref/.
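To make the packet structure from earlier in this chapter and the filters in Table 1.3 concrete, here is an added Python example; it is not code from the book. It builds a small constructed capture of three Ethernet II frames in memory (an ARP request, a TCP SYN to port 80 and the SYN/ACK back), parses the Ethernet, IPv4 and TCP headers with nothing but the standard library, and implements the equivalents of ip.addr, tcp.dstport, tcp.flags.syn and the eth.dst broadcast filter from Figure 1.5. The addresses are the ones already used in this chapter plus the IANA documentation MAC; the function names are my own, and checksums are left at zero because nothing is ever sent on the wire.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN, TCP_ACK = 0x02, 0x10
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Ethernet II + IPv4 + TCP header with no payload. Checksums stay zero:
    these frames are parsed locally, never transmitted."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + tcp

def build_arp_request(src_mac, src_ip, target_ip) -> bytes:
    """Ethernet II broadcast frame carrying an ARP who-has request."""
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      mac_bytes(src_mac), ip_bytes(src_ip), bytes(6), ip_bytes(target_ip))
    return eth + arp

@dataclass
class Frame:
    eth_src: str
    eth_dst: str
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    tcp_srcport: Optional[int] = None
    tcp_dstport: Optional[int] = None
    tcp_flags: int = 0

def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header, then IPv4 and TCP when they are present."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    f = Frame(eth_src=mac_str(raw[6:12]), eth_dst=mac_str(raw[0:6]))
    if ethertype != ETHERTYPE_IPV4:
        return f                      # ARP and other non-IP frames stop here
    ihl = (raw[14] & 0x0F) * 4        # IPv4 header length in bytes
    f.ip_src, f.ip_dst = ip_str(raw[26:30]), ip_str(raw[30:34])
    if raw[23] == 6:                  # IPv4 protocol field: 6 = TCP
        off = 14 + ihl
        f.tcp_srcport, f.tcp_dstport = struct.unpack("!HH", raw[off:off + 4])
        f.tcp_flags = raw[off + 13]   # flags byte of the TCP header
    return f

# Display-filter equivalents from Table 1.3 and Figure 1.5.
def ip_addr(frames: List[Frame], addr: str) -> List[Frame]:      # ip.addr == addr
    return [f for f in frames if addr in (f.ip_src, f.ip_dst)]

def tcp_dstport(frames: List[Frame], port: int) -> List[Frame]:  # tcp.dstport == port
    return [f for f in frames if f.tcp_dstport == port]

def tcp_syn_only(frames: List[Frame]) -> List[Frame]:  # tcp.flags.syn == 1 && tcp.flags.ack == 0
    return [f for f in frames if f.tcp_flags & TCP_SYN and not f.tcp_flags & TCP_ACK]

def eth_broadcast(frames: List[Frame]) -> List[Frame]:           # eth.dst == ff:ff:ff:ff:ff:ff
    return [f for f in frames if f.eth_dst == BROADCAST]

# Constructed capture (not real traffic): the host from Figure 1.7 resolves its
# gateway, then opens a connection to port 80 and receives the SYN/ACK. The
# gateway MAC is the IANA documentation address used in the MAC address section.
HOST_MAC, GW_MAC = "00:0c:29:77:2c:99", "00:00:5e:00:53:af"
CAPTURE = [
    build_arp_request(HOST_MAC, "192.168.1.10", "192.168.1.1"),
    build_tcp_frame(HOST_MAC, GW_MAC, "192.168.1.10", "192.168.1.1", 40000, 80, TCP_SYN),
    build_tcp_frame(GW_MAC, HOST_MAC, "192.168.1.1", "192.168.1.10", 80, 40000, TCP_SYN | TCP_ACK),
]
FRAMES = [parse_frame(raw) for raw in CAPTURE]

if __name__ == "__main__":
    for name, hits in [("eth.dst == broadcast", eth_broadcast(FRAMES)),
                       ("ip.addr == 192.168.1.1", ip_addr(FRAMES, "192.168.1.1")),
                       ("tcp.dstport == 80", tcp_dstport(FRAMES, 80)),
                       ("tcp.flags.syn == 1 && !ack", tcp_syn_only(FRAMES))]:
        print(f"{name}: {len(hits)} frame(s)")
```

Running it shows one broadcast frame, two frames involving 192.168.1.1, one frame to port 80 and one initial SYN. The SYN-only filter is the one to reach for when you are looking for scans or new connections; a bare tcp.flags.syn == 1 also matches every SYN/ACK.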

Now that we have an idea of how to capture packets with Wireshark, let’s move on to spoofing. We will focus on MAC address and ARP spoofing techniques.

MAC address spoofing

As we have identified, every network interface has a unique MAC address. MAC address spoofing is a type of computer identity theft that involves altering the MAC address on the NIC. MAC address spoofing techniques are commonly used when attempting to break into a LAN environment by assuming the identity of an authorized computer. For example, some networks may whitelist MAC addresses. If you can discover that whitelisted MAC address, you can assume its identity. You can spoof your MAC address to masquerade as a different device on the network.

Let’s look at how to perform MAC address spoofing. For this, we will use Kali Linux and the macchanger tool.

From a Terminal window, issue the macchanger --help command. This will show you all the options that are available to use with the tool, as shown in the following screenshot:

Figure 1.6 – macchanger usage options

Before we use the tool, let’s verify our current MAC address. You can do this by using the ifconfig command followed by your interface (on distributions that no longer ship ifconfig, ip link show eth0 gives the same information). In my case, this is eth0, as per the following figure:

Figure 1.7 – Current allocated MAC address

Currently, my MAC address (labelled ether in the ifconfig output) is 00:0c:29:77:2c:99. Now, let’s modify this to some random value. This can be done in one easy step:

We will issue the sudo macchanger -r eth0 command. I am using the sudo command since my current user does not have root permissions. You can also make use of the sudo -i command, which will move you to the root user, after which you won’t need to prepend the commands with sudo. -r generates a fully random MAC address; I could use other options if required. For example, -e (--ending) randomizes only the device part and keeps your current vendor OUI, -a picks a random OUI from a vendor of the same kind as your current one, and -p restores the permanent, burned-in address. Lastly, I define my interface, which is eth0.

Tip

If you experience an ERROR: Can’t change MAC: message, then you will need to bring the interface down before running the macchanger command by executing sudo ifconfig eth0 down (or sudo ip link set eth0 down). This switches your network interface OFF, so you will lose connectivity on it until you bring it back up.

Once you run the macchanger command, remember to turn the interface back ON by using the sudo ifconfig eth0 up (or sudo ip link set eth0 up) command.

The results presented in the following figure show that the interface now has a new MAC address of 06:1d:9f:2f:db:f6:

Figure 1.8 – Using macchanger to set a random MAC address

If you want to define your own MAC address rather than a random one, use the --mac (or -m) option, followed by the interface:

$ sudo macchanger --mac XX:XX:XX:XX:XX:XX eth0

Note

If you are using a Windows environment, some network cards provide the functionality to change your MAC address within the interface properties.

As you have seen, randomizing your MAC address is a simple yet very effective task when it comes to either stealing an identity or masquerading on a network. Now, let’s move on to ARP spoofing.
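The following Python helper is an added example, not code from the book or from macchanger, for inspecting the kind of address the tool manipulates. It parses a MAC address, reports the vendor OUI (the first three octets) and the two flag bits of the first octet (the unicast/multicast bit and the locally administered bit), and generates a random address in the two ways the text describes: keeping the current OUI, or fully random with the locally administered bit set. The two sample addresses are the ones shown in the figures above; the function names and the seed parameter are my own.

```python
import random
import re

# Sample values taken from the chapter text: the VMware-assigned address seen
# with ifconfig and the address produced by "macchanger -r".
ORIGINAL_MAC = "00:0c:29:77:2c:99"
RANDOM_MAC = "06:1d:9f:2f:db:f6"


def parse_mac(text):
    """Return the six octets of a colon-separated MAC address as integers."""
    parts = text.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return [int(p, 16) for p in parts]


def format_mac(octets):
    return ":".join(f"{o:02x}" for o in octets)


def describe_mac(text):
    """Decode the pieces of a MAC address that matter when you change it.

    Bit 0 of the first octet is the I/G (individual/group) bit: 0 means unicast.
    Bit 1 is the U/L bit: 1 means locally administered, i.e. not burned in by
    a vendor. The first three octets are the OUI, which identifies the vendor
    of a globally unique address (00:0c:29 belongs to VMware).
    """
    octets = parse_mac(text)
    return {
        "oui": format_mac(octets[:3]),
        "unicast": (octets[0] & 0x01) == 0,
        "locally_administered": (octets[0] & 0x02) != 0,
    }


def random_mac(keep_oui_from=None, seed=None):
    """Generate a random unicast MAC address.

    With keep_oui_from, the vendor OUI of that address is kept and only the
    last three octets are randomised (the behaviour the text attributes to
    macchanger -a). Without it, all six octets are random, with the locally
    administered bit set and the multicast bit cleared, so the result cannot
    collide with a vendor-assigned address; the 06:1d:9f:2f:db:f6 address in
    the figure above has exactly this shape. seed is a constructed parameter
    so that runs can be reproduced.
    """
    rng = random.Random(seed) if seed is not None else random
    if keep_oui_from is not None:
        octets = parse_mac(keep_oui_from)[:3]
    else:
        first = (rng.randrange(256) | 0x02) & 0xFE
        octets = [first, rng.randrange(256), rng.randrange(256)]
    octets += [rng.randrange(256) for _ in range(3)]
    return format_mac(octets)


if __name__ == "__main__":
    for mac in (ORIGINAL_MAC, RANDOM_MAC):
        print(mac, describe_mac(mac))
    print("same OUI:", random_mac(keep_oui_from=ORIGINAL_MAC))
    print("fully random:", random_mac())
```

The locally administered bit is the detail worth checking when you set your own address with --mac: an address with that bit set is, by definition, not claiming to be any vendor's hardware, while one that keeps a real OUI will be listed by inventory and NAC tools under that vendor.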

ARP spoofing

Before we dive into ARP spoofing, let’s put ARP into perspective. Think of MAC addresses as identifying who you are; they are physical identifiers. IP addresses identify where you are. ARP tables manage the relationship between the who and the where.

ARP is used to discover the MAC address associated with an IP address. For example, if a router needs to send data to a computer that holds the IP address 192.168.1.20, it needs to know that computer’s MAC address, and to discover it, it sends an ARP query. ARP queries are not limited to routers; other devices, such as wireless routers, switches, and computers, all use the ARP protocol.

In an ARP spoofing attack, the attacker sends fake ARP responses to a victim. These responses essentially tell the victim that the attacker’s MAC address maps to something else, such as a router’s IP. This means that the victim would send packets that were originally destined for the router to the attacker as the router’s MAC address would be replaced with the attacker’s MAC address. ARP spoofing is a typical example of a man-in-the-middle (MITM) attack.

Note

An MITM attack occurs when an attacker listens in on the communication between a user and an application. The intent could be to either spy on the conversation with the intent to gain valuable information or to modify the conversation and redirect the communication to devices that the attacker controls.

The following diagram shows how an MITM attack works:

Figure 1.9 – Man-in-the-middle attack (Source: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/)


Pro tip

Remember that for Kali Linux to forward packets on behalf of other machines, you need to enable IP forwarding. This needs to be done by issuing the echo 1 > /proc/sys/net/ipv4/ip_forward command as root.

To perform an ARP spoofing attack, you need to leverage additional tools within Kali Linux. The tool suite that we will need to use is called dSniff. dSniff contains several tools that can be used to listen to and create network traffic.

The tool can be installed using the following commands:

  1. First, we must switch to the root user using the following command:
    sudo -i
  2. Next, we must ensure that we have the latest package updates by issuing the following command:
    apt-get update
  3. Finally, we must install the tool suite using the following command:
    apt-get install dsniff

Within the toolset, we will make use of arpspoof, a tool that will execute the ARP spoofing attack. The basic form of the command is as follows:

$ sudo arpspoof -i [INTERFACE] -t [TARGET_IP] [ROUTER_IP]

Let’s break down this command. The -i flag specifies the interface on which the spoofed ARP packets are sent, while the -t flag specifies the target that you would like to poison. The final argument is the IP address you want to impersonate toward that target (here, the router). You can leave the -t option out, but then arpspoof will poison all targets on the network.

When you run the command, the output would look like what’s shown in Figure 1.10. Within the output, you will find the first MAC address (0:c:29:77:2c:99), which belongs to the Kali Linux machine. The second MAC address (0:c:29:ec:1e:7b) belongs to the target machine. You then have the type field (0806), which indicates that an ARP packet is contained inside the Ethernet frame. Next, you have the byte size (42) of the Ethernet frame. The ARP reply section shows what the ARP message looks like when it is seen by the target. Essentially, it forces the victim to update its ARP table so that the IP address of the router (192.168.111.2) is now at the MAC address of the Kali Linux machine:

Figure 1.10 – Results of using the arpspoof command


When you perform an ARP spoofing attack, you need to also trick the router into believing that you are the target. To do that, you need to issue the same command but this time, reverse [ROUTER_IP] and [TARGET_IP]. The command would be as follows:

$ sudo arpspoof -i [INTERFACE] -t [ROUTER_IP] [TARGET_IP]

You will get a chance to perform an ARP spoofing attack in the upcoming section. But first, we need to build a working lab environment that we will use throughout this book. As we progress through this book’s chapters, we will add additional components to the lab; these components will be introduced at the start of each chapter.

 

Setting up the lab

To perform the various exercises throughout this book, you will need to have a lab environment set up. In this section, I will walk you through building the lab environment. We will add to this environment as we progress through this book. So, let’s begin with the initial setup.

First, you will need to use a virtualization platform if you are building this locally on your PC. Common virtualization platforms include VirtualBox, which is free and can be downloaded from https://www.virtualbox.org/wiki/Downloads, and VMware Workstation. VMware Workstation has two editions: the VMware Workstation Player, which is free and can be downloaded from https://www.vmware.com/nl/products/workstation-player/workstation-player-evaluation.html, and a paid-for version called VMware Workstation Pro.

Pro tip

I do not recommend using Microsoft Hyper-V since this platform does not allow you to natively interact with hardware. For example, if you had to use a wireless network card for packet capturing, you would not be able to do this with Microsoft Hyper-V.

For this chapter, we will set up the lab as per the following diagram. We will use pfSense as an open source router, which will provide internet access to the lab environment. All devices will have a private IP address in the 192.168.1.0/24 range. The pfSense virtual router will have two network interfaces, one in bridged mode and the other connected to the private subnet of the lab environment.

Figure 1.11 – Lab diagram


We will begin by setting up our virtual network within the hypervisor. Within VMware Workstation, this can be done from EDIT | Virtual Network Editor, as per the following figure. Ensure that this is set to Host-only since we want this network to simulate a private subnet of 192.168.1.0/24:

Figure 1.12 – Virtual network configuration on VMware


For VirtualBox, this can be done at File | Host Network Manager, as shown in the following screenshot:

Figure 1.13 – Virtual network editor in VirtualBox


Once you have the networks configured, you can proceed to install pfSense. The installation is straightforward. You will need to download the ISO file from https://www.pfsense.org/download/; remember to select the AMD64 architecture. Once you have downloaded this, you will proceed to create a new virtual machine on your hypervisor. Remember to set your ISO file as the boot image so that you can install pfSense.

Pro tip

The steps to set up a new virtual machine for VMware are detailed here: https://kb.vmware.com/s/article/1018415.

The steps to set up a new virtual machine for VirtualBox are detailed here: https://docs.oracle.com/cd/E26217_01/E26796/html/qs-create-vm.html#:~:text=To%20create%20a%20new%20virtual,VirtualBox%20command%20in%20a%20terminal.

Ensure that your pfSense setup has two network interface cards – one set to bridged mode (this will enable it to communicate with the internet) and one set to your host-only network. Once you have installed pfSense, ensure that you remove the ISO file from its boot sequence; otherwise, you will have a setup loop. When pfSense boots up, you should see something like what’s shown in the following screenshot – one interface card bridged with your network (WAN) that has internet access and the other connected to your host-only network (LAN):

Figure 1.14 – pfSense IP configuration


Once you’ve done this, you can leverage the pre-built virtual machines from Kali Linux. Kali makes both VMware and VirtualBox images readily available for download. Simply download the one that matches the hypervisor you are using. Once extracted and booted up, you should be able to log in using the default username and password of kali/kali. Remember that your Kali Linux network interface card should be set to Host-only.

The last step is to set up Windows 10. I recommend that you make use of Windows 10 Pro throughout this book. Your Windows 10 virtual machine should also make use of the Host-only network.

Note

You may need to manually configure an IP address on the private subnet for both the Kali and Windows virtual machines in case DHCP does not assign any IP address.

At the end of your lab setup, you should have three virtual machines configured. You should be able to ping each of them on their local private IP subnet and be able to browse the internet from the Kali and Windows machines. Now that we have set up the lab, let’s work on some exercises based on what we have covered in this chapter.

 

Putting what you have learned into practice

With the lab set up, let’s perform an ARP spoofing attack. In this attack, we will send malicious packets to the Windows 10 machine spoofing the MAC address of the pfSense router. In my environment, the pfSense router has an IP address of 192.168.1.1 and the Windows 10 machine has an IP address of 192.168.1.20.

Before we begin, we will enable Kali to perform packet forwarding using the following commands:

$ sudo -i
$ echo 1 > /proc/sys/net/ipv4/ip_forward

From the Kali machine, open a Terminal window and issue the following command. This will begin to spoof ARP packets toward the Windows 10 machine:

$ sudo arpspoof -i eth0 -t 192.168.1.20 192.168.1.1

The command will continue to run indefinitely until you cancel it with the Ctrl + C key sequence. The output will look as follows:

Figure 1.15 – ARP spoofing the Windows 10 machine


Since we want to intercept traffic and perform an MITM attack, we will conduct an arpspoof attack toward the router. Here, we are telling the router that all traffic destined to the MAC address belonging to 192.168.1.20 (Windows 10 machine) is our MAC address (Kali Machine). Kali will then perform the packet forwarding between the router and the Windows 10 machine.

In a new Terminal window, run the following command. This will start to spoof ARP packets towards the pfSense router:

$ sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.20

The output will look as follows:

Figure 1.16 – ARP spoofing the pfSense router


As the two commands run, both the pfSense router and the Windows 10 machine should now have poisoned ARP entries. From here, we can intercept the packets and see all the communication between the Windows 10 machine and the router.

A great tool to quickly view web traffic is called URLSnarf, which is part of the dSniff suite. You can try this out in your lab by entering the following command:

$ sudo urlsnarf -i eth0

This command will inspect all web traffic and provide you with the URLs that are being accessed. A sample of this can be seen in the following screenshot:

Figure 1.17 – Viewing URLs accessed by the target with urlsnarf


If you want to capture all the traffic, this is where you can make use of Wireshark. Using what you have learned earlier, launch Wireshark on Kali Linux and perform a packet capture on the interface that you are using for the ARP spoofing attack. Do you see anything interesting? Generate some web traffic from the target machine and look at the packet capture – for example, browse to a website, log in, and look at the packet captures.

 

Best practices

When it comes to detecting attacks such as an ARP spoofing attack, things can become tricky. Having encryption in place for all internet traffic can help protect your session from any eavesdropping. Many browsers now require that websites support some type of encryption. There are also web extensions that can easily notify you if you are browsing a non-encrypted website. An example of such an extension is the HTTPS Everywhere extension (https://www.eff.org/https-everywhere). You will also find that modern network appliances have some sort of anti-spoofing techniques available that can, to some extent, protect against spoofing.
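To make both the frame layout described under Figure 1.10 and the detection problem raised in this section concrete, here is an added Python example (my code, not the book’s and not part of dSniff). It builds 42-byte ARP reply frames of the shape arpspoof sends, parses them field by field (Ethernet type 0x0806, then the 28-byte ARP body), and runs a small watcher in the spirit of arpwatch: it keeps an IP-to-MAC table and raises an alert when an address already bound to one MAC is claimed by another, which is exactly what the spoofed reply for the gateway’s IP does. The gateway and Windows MAC addresses are constructed placeholders; the Kali MAC and the 192.168.1.x addresses are the ones used in the lab.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806   # the "0806" type field seen in the arpspoof output
ARP_REPLY = 2

# Lab addresses from the chapter; the gateway and Windows MACs are constructed
# placeholders, since the chapter never shows them.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:0c:29:aa:bb:cc"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:0c:29:dd:ee:ff"
KALI_MAC = "00:0c:29:77:2c:99"


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Fabricate a 42-byte Ethernet + ARP reply frame (test input only)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode 2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpWatcher:
    """Keep the IP -> MAC bindings seen on the wire and flag any change.

    Seeding the table with known-good bindings (the gateway above all) means
    the very first spoofed reply is caught instead of being silently learned.
    """

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it
            return None
        if known != mac:
            alert = f"ARP conflict: {ip} was {known}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Feed the watcher one genuine reply, one spoofed reply and one non-ARP frame."""
    watcher = ArpWatcher(trusted={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # real gateway
        build_arp_reply(KALI_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),     # what arpspoof -t 192.168.1.20 192.168.1.1 sends
        bytes(60),                                                        # not ARP at all
    ]
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The alert on the second frame is what the attack from the previous section looks like from the wire. In practice you would feed the watcher from a capture on the LAN segment (or run arpwatch, which keeps the same kind of table) and pair it with the switch-side anti-spoofing features mentioned above, because an alert only tells you that a binding changed, not which of the two claimants is the genuine one.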

 

Summary

In this chapter, we covered some concepts of networking at a high level. We looked at cloud environments and the differences between various offerings. We also dove into networking tools that can be used to capture packets and looked at some spoofing techniques and tools that are available today. In the next chapter, we will focus on packet capturing in more depth and dive deeper into the tools before introducing wireless packet captures.

About the Authors
  • Rishalin Pillay

    Rishalin Pillay is an Offensive Cybersecurity expert who holds a number of awards and certifications from multiple companies in the Cybersecurity industry. He is well known for his contributions to online learning courses related to Red Teaming and as the author of Learn Penetration Testing. He holds Content Publisher Gold and Platinum awards for his contributions made towards the Cybersecurity Industry, including the Events Speaker Gold award for influential public speaking at Tier-1 business events.

  • Mohammed Abutheraa

    Mohammed Abutheraa is a Cybersecurity specialist who has over 15 years of experience in IT security, risk management, security infrastructure, and technology implementation in both private and public sector environments. He has worked as an Incident Response and Remediation Advisor and has supported customers in remediating major incidents in recent years. He has experience in Threat Intelligence and proactive services such as Vulnerability Assessments and Red/Purple Teaming.
